Kaspersky Lab has found malware-laden Chrome extensions, along with a criminal gang playing cat and mouse with Google by releasing several variations of its wares.

The attacks manifest as suggestions to download Facebook apps. Those apps are, alas, not real. Instead they are malware and, in one case, a malware-laden Chrome extension hosted in Google's very own Chrome Web Store.

The malware pretends to be a Flash Player installer but instead downloads a Trojan which writes messages to a victim's Facebook profile and automatically Likes certain pages.
...

There was a thread sometime ago about whether or not Google has a system in place to verify rogue extensions. I even provided links with evidence that they don't.

This is just another great example. Unless someone is familiar with the people behind an extension, then one should stay the heck away from any of them, which probably means 99% of them. Pretty insane.

And, I still do not understand why Google hasn't done anything about this. Why haven't they implemented a system to verify extensions, before uploading them to Chrome Web Store?

I hope Google starts to have some bad advertising about it, everywhere. Once it starts happening, a change will happen. I like to think that it would.

But, you're being drastic when you say "I'm tempted to say: 'Think twice before installing Chrome as long as Google isn't doing their homework'".

Even Firefox, which I do praise Mozilla's work to prevent rogue extensions, doesn't come without its own issues. Heck, I remember a fight between two very popular extensions, where one of the developers introduced code to prevent the other extension from working. So... not exactly malware, but nonetheless an extension that went rogue.

I don't think it's drastic to feel uncertain about installing Chrome. This is a company constantly getting its own self in trouble, and they themselves make it hard to trust anything Google. You're right about Firefox extensions having issues, extensions there have a bit too much power, imo. However, at least the majority of them (if not all, maybe excluding the likes of AdBlock and NoScript) go through some kind of vetting process.

Over in Chrome you get some half-assed "about the developer" thing, which can easily be tainted or outright faked, and very little else. Sometimes you can go by the comments, but who is to say the comments aren't planted? (the same could be said for Firefox extension comments as well).

As discussed before, the only time extensions are checked is when they load up binaries. This obviously is not enough. Malware can work within the sandbox - we see this with Android.

Google will be idiotic about this and not do anything until it's too late. Implementing a "bouncer" after hackers already have started getting money out of it is just going to make them try a bit harder.

There should have been a bouncer from day one.

Hopefully they actually do something but I am not confident.

EDIT:

I don't think it's drastic to feel uncertain about installing Chrome. This is a company constantly getting its own self in trouble, and they themselves make it hard to trust anything Google. You're right about Firefox extensions having issues, extensions there have a bit too much power, imo. However, at least the majority of them (if not all, maybe excluding the likes of AdBlock and NoScript) go through some kind of vetting process.

Tlu said it was tempting to say to avoid installing Chrome based on "Google not doing its homework", which I happen to agree with. Whether it's not minding the shop when it comes to extensions, or one of many issues Google is involved in at a given time, it's difficult to place trust in them for many, myself included.

Chrome is a good browser, Google is not a good company (anymore). Rather silly to use a product from a company that's hard to trust, right? I really wish they'd get their s*** straight, I really do. I'm not confident they will though either. They've had years now to put something in place, knowing extensions were likely attack vectors. Maybe they don't want to admit they aren't perfect, I don't know.

I agree that it's difficult to use a product from a company you don't trust. At this point I'd be wary to use Chrome based on other things if I weren't confident that it was fine based on packet sniffing and the fact that it is largely open source.

My friend at Mozilla keeps pushing me to use Firefox though lol and he is convincing. If I hadn't done my homework I likely would have switched already.

Tlu said it was tempting to say to avoid installing Chrome based on "Google not doing its homework", which I happen to agree with. Whether it's not minding the shop when it comes to extensions, or one of many issues Google is involved in at a given time, it's difficult to place trust in them for many, myself included.

I totally agree with this. I admit I use some Google services as it's difficult not to, but their apathetic approach to security with extensions & some other Google issues quite frankly scare me.

dw426 said:

Chrome is a good browser, Google is not a good company (anymore). Rather silly to use a product from a company that's hard to trust, right? I really wish they'd get their s*** straight, I really do. I'm not confident they will though either. They've had years now to put something in place, knowing extensions were likely attack vectors. Maybe they don't want to admit they aren't perfect, I don't know.

Chrome is relatively stable, safe & more or less bug free. As for Google, isn't their new motto "Resistance is futile"?

But, aren't you folks mixing things? One thing is privacy, another thing is security.

Dodgy Google privacy policy issues aside, I was referring primarily to the lax security at the Chrome Store.

m00nbl00d said:

I have doubts you're saying not to trust in Google due to security issues. This thread is about a security issue, in what comes to extensions, considering there's no vetting process.

I will concede that Chrome is the safest browser 'out of the box', which is a good security policy by Google. The slacking at the Chrome Store however could be a portent of things to come from Google. Sometimes companies get too big for their boots.

m00nbl00d said:

I could very well say I don't trust Internet Explorer either; nor Firefox or Opera. Which is why I use Chromium. But, that's not the issue.

But, aren't you folks mixing things? One thing is privacy, another thing is security.

I have doubts you're saying not to trust in Google due to security issues. This thread is about a security issue, in what comes to extensions, considering there's no vetting process.

I could very well say I don't trust Internet Explorer either; nor Firefox or Opera. Which is why I use Chromium. But, that's not the issue.

I'm not mixing things at all, my post was in fact referring to its security. Though, honestly, in today's world, privacy and security often go hand in hand. After all, if a company is invading your privacy in the form of tracking and what have you, it is also hampering a part of your security. But I get what you mean, and no, I don't intend to turn this into a Google rant.

Their general company practices are well known, their intent is well known, so we needn't beat a dead horse. This is about their extension process, and said process frankly sucks.

I'm not mixing things at all, my post was in fact referring to its security. Though, honestly, in today's world, privacy and security often go hand in hand. After all, if a company is invading your privacy in the form of tracking and what have you, it is also hampering a part of your security. But I get what you mean, and no, I don't intend to turn this into a Google rant.

Their general company practices are well known, their intent is well known, so we needn't beat a dead horse. This is about their extension process, and said process frankly sucks.

Yeah, I actually misunderstood your post. Don't know why, but I associated it with privacy.

But yes, they should get their **** together. This isn't funny any longer. Google Chrome Web Store is a weak spot, and they must take care of it once and for all.

It's actually pretty crazy if you think about it. All a cybercriminal has to do is have a website with some dead video saying the user needs to install Adobe Flash Player. Maybe the user knows he/she shouldn't install programs from non-official sources. But, this website actually says to download Adobe Flash Player from Chrome Web Store - Google's official website for extensions. Maybe they think OK. Maybe Google partnered with the folks behind Flash Player. I'll install it.

Quite a few security researchers have shown that Chrome Web Store simply has no vetting process to spot these malicious extensions. One has to wonder why Google still hasn't done anything about it.

Maybe it isn't getting that bad publicity about it? That would be a strong bet... Maybe this needs to change.

... Though, honestly, in today's world, privacy and security often go hand in hand. After all, if a company is invading your privacy in the form of tracking and what have you, it is also hampering a part of your security. ...

This is an unsubstantiated claim. But it is fashionable and emotive and is being exploited.

And your point is? I suppose I should have put the emoticon in my previous post... Then again, and I don't know if this reply was meant for me, I did not say I don't trust Google. lol

My point is exactly that: even in the Ubuntu forums, I've seen anti-Chrome rants and suggestions to use Chromium instead without any recognition or admission that both browsers are made by the same entity.

Whether to trust something or the other is certainly not a decision to be based on ambient noise.

My point is exactly that: even in the Ubuntu forums, I've seen anti-Chrome rants and suggestions to use Chromium instead without any recognition or admission that both browsers are made by the same entity.

Whether to trust something or the other is certainly not a decision to be based on ambient noise.

Then, I'll have to ask again: What's your point?

You came up with "For those who don't know, both Chrome and Chromium are made by Google. It seems necessary to point this out."

Apparently, as a reply to one of my posts. Although, nowhere in that same post did I make mention of Google Chrome. Which is why I'm asking: What's your point?

This is an unsubstantiated claim. But it is fashionable and emotive and is being exploited.

Err, hate to derail this... but where are you getting unsubstantiated from? There's plenty of proof for Google tracking, and, if you're trying to argue that privacy is not related to security, well, I don't see how you can come up with that either.

I don't think it's drastic to feel uncertain about installing Chrome. This is a company constantly getting its own self in trouble, and they themselves make it hard to trust anything Google. You're right about Firefox extensions having issues, extensions there have a bit too much power, imo. However, at least the majority of them (if not all, maybe excluding the likes of AdBlock and NoScript) go through some kind of vetting process.

@vasa1: Thanks for pointing out that both Chrome & Chromium are developed by Google. In so many articles, blogs, posts I have seen authors recommending to chuck Chrome and embrace Chromium as it is open source and does not contain "proprietary Google code".

vasa1 said:

This is an unsubstantiated claim. But it is fashionable and emotive and is being exploited.

What is unsubstantiated that you are referring to? Google's tracking or privacy and security often going hand in hand?